Cyber Crime

FIN7 hackers target enterprises with weaponized USB drives via USPS

The FIN7 APT group has been targeting businesses with malicious USB drives and Teddy Bears sent to the victims, the FBI warns.

The FBI is warning of a new wave of attacks carried out by the FIN7 APT group that is sending to the victims devices acting as a keyboard (HID Emulator USB) when plugged into a computer.

“Recently, the cybercriminal group FIN7,1 known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS).” reads the alert issued by the FBI. “The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles,”

Upon connecting the device to a computer, it injects commands to download and execute a JavaScript backdoor tracked as GRIFFON.

One of these attacks was analyzed by experts from Trustwave, one of the clients of the cybersecurity firm received a letter was supposedly from Best Buy giving out a $50 gift card to its loyal customers. The letter also includes an apparently harmless USB drive that claims to contain a list of items to spend on.

The packages have been sent to several businesses, including retails, restaurants, hotels. The malicious devices were sent to employees in human resources, IT, or executive management departments.

The weaponized drive emulates keystrokes that launch a PowerShell command to retrieve malware from a remote server. The experts observed malicious code contacting domains or IP‌ addresses in Russia.

It is quite easy to find development boards like Arduino that could be configured to emulate a human interface device (HID) such as keyboards and launch a pre-configured set of keystrokes to load and execute any sort of malware.

“To start the analysis, we inspected the drive for inscriptions such as serial numbers. At the head of the drive on the printed circuit board we saw “HW-374”. A quick Google search for this string found a “BadUSB Leonardo USB ATMEGA32U4” for sale on shopee.tw.” reads the analysis published by Trustwave.

“This USB device uses an Arduino microcontroller ATMEGA32U4 and was programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.”

Trustwave experts noticed two PowerShell commands that lead to displaying a fake message box warning of errors on the thumb drive.

The Powershell scripts then run third-stage JavaScript that gathers system information and drops other malware. According to the FBI’s alert, once gathered the information on the target, FIN7 threat actor starts to move laterally seeking administrative privileges.

“After this gathered information is sent to C&C server. The main Jscript code enters an infinite loop sleeping for 2 minutes in each loop iteration then getting a new command from the command and control.” continues the analysis.

“In summary, once a USB controller chip is reprogrammed to unintended use (in this case as an emulated USB keyboard) these devices could be used to launch an attack and infect unsuspecting users’ computer without them realizing it.” concludes Trustwave.

“These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals “in the wild.”

Let me close with a comment from the popular white-hat hacker Luca Bongiorni, the evil mind behind @whid_injector & @potaebox.

“The fact that FIN7 and other cyber gangs started conducting attacks via USB sticks suggests that the defenses against spear-phishing are exponentially improving,” said Bongiorni.

“Probably soon, attackers will move from simple USB sticks to more advanced solutions like a USB cable (e.g. #USBsamurai or #EvilCrow). Using a “malicious implant” inside them attackers could conduct BADUSB type attacks. Let’s think of a mouse or a USB fan embedding #WHIDelite.

An example of remote control via GSM network via a USB keyboard inside which a #WHIDelite is available here:

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – FIN7, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws…

2 hours ago

Mirai botnets exploit Wazuh RCE, Akamai warned

Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai…

5 hours ago

China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns

China-linked threat actor targeted over 70 global organizations, including governments and media, in cyber-espionage attacks…

9 hours ago

DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes,…

21 hours ago

OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops

OpenAI banned ChatGPT accounts tied to Russian and Chinese hackers using the tool for malware,…

1 day ago

New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

A new variant of the Mirai botnet exploits CVE-2024-3721 to target DVR systems, using a…

1 day ago